As the Internet and other networked computer systems become increasingly integrated into public activities (e.g., management and operation of governmental organizations) and private activities (e.g., personal activities, management and operation of households and businesses, etc.), malicious software (“malware”) poses an increasingly significant threat to such pursuits. Malware generally operates to disrupt operation of computer systems (e.g., by taking control of computational resources and using those resources for unauthorized purposes, by disabling individual computers or entire networks, by damaging or otherwise sabotaging system components, etc.) and/or to steal resources from computer systems (e.g., by gathering sensitive data). Malware can be deployed in many forms, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, keystroke loggers, rootkits, bots, crimeware, phishing scams, etc.
Computer users devote significant resources to detecting malware and preventing malware from disrupting the operations of their computer systems or stealing their computer-based resources. Conventional cybersecurity engines have relied extensively on static, signature-based techniques for detecting malware. In general, static, signature-based malware detection involves obtaining a copy of a file that is known to contain malware, analyzing the static features of the file (e.g., the sequence of bytes contained in the file) to extract a static signature that is characteristic of the malware, and adding the malware's static signature to a database (often referred to as a “blacklist”) of known malware. When a user attempts to access (e.g., download, open, or execute) a file, the cybersecurity engine scans the file and extracts the file's static signature. If the file's static signature matches a signature on the blacklist, the cybersecurity engine detects the presence of malware and intervenes to prevent the malware from executing (e.g., by quarantining or deleting the file).
Static, signature-based malware detection techniques are generally useful for quickly detecting known malware. However, these techniques can generally be circumvented by new malware that is not yet blacklisted (e.g., zero-day malware or next-generation malware) or by malware that modifies itself to avoid matching a static signature on the blacklist (e.g., oligomorphic, polymorphic, or metamorphic malware).
Some cybersecurity engines rely on behavior-based techniques for detecting malware. In general, behavior-based malware detection involves monitoring the execution of a process and identifying suspicious features of the process's execution (e.g., suspicious process behaviors, which may include unpacking code, modifying the host file, logging keystrokes, etc.). When suspicious behaviors are identified, the cybersecurity engine intervenes to protect the computer system (e.g., by terminating or quarantining the process) and assesses the threat (e.g., by initiating a forensic investigation of the process).
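As an added illustration (not part of the original text), the following Python sketch places the static, signature-based check described above beside a behavior-based check; the blacklist, the byte patterns, the behavior weights and threshold, and the sample file are all constructed assumptions, and the sketch shows why a self-modifying variant slips past the first check but not the second.

```python
# Added example: static signature scan vs. behavior-based scan.
# All signatures, rules and the sample file are constructed for illustration.
import hashlib

# Constructed sample of "known malware" and the blacklist derived from it:
# a full-file SHA-256 digest plus a characteristic byte sequence.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"unpack-and-log-keys" + b"\x00" * 8
BLACKLIST_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
BLACKLIST_PATTERNS = [b"unpack-and-log-keys"]


def static_scan(data: bytes) -> bool:
    """Static, signature-based detection: hash lookup, then byte-pattern match."""
    if hashlib.sha256(data).hexdigest() in BLACKLIST_HASHES:
        return True
    return any(pattern in data for pattern in BLACKLIST_PATTERNS)


def polymorphic_variant(data: bytes) -> bytes:
    """Constructed stand-in for self-modifying malware: the body is XOR-encoded
    so neither the hash nor the blacklisted byte sequence survives, while the
    run-time behavior would be unchanged."""
    header, body = data[:4], data[4:]
    return header + bytes(b ^ 0x5A for b in body)


# Constructed behavior rules: each suspicious behavior named in the text
# carries a weight; a process whose observed events reach the threshold is flagged.
SUSPICIOUS_BEHAVIORS = {
    "unpack_code": 2,       # code is unpacked/decrypted into memory at run time
    "modify_host_file": 3,  # process rewrites its own executable on disk
    "log_keystrokes": 3,    # process installs a keyboard hook
}
THRESHOLD = 4


def behavior_scan(events: list[str]) -> tuple[bool, int]:
    """Behavior-based detection over an observed sequence of process events.
    Returns (flagged, score)."""
    score = sum(SUSPICIOUS_BEHAVIORS.get(event, 0) for event in events)
    return score >= THRESHOLD, score


if __name__ == "__main__":
    variant = polymorphic_variant(KNOWN_SAMPLE)
    print("static scan, known sample:", static_scan(KNOWN_SAMPLE))   # True
    print("static scan, variant:     ", static_scan(variant))        # False
    # Constructed event trace observed while the variant runs.
    print("behavior scan, variant:   ", behavior_scan(["open_file", "unpack_code", "log_keystrokes"]))
```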